Follow the WhiteRabbit: Towards Consolidation of On-the-Fly Virtualization and Virtual Machine Introspection

The growing complexity of modern malware drives security applications to leverage Virtual Machine Introspection (VMI), which provides a complete and untainted view over the Virtual Machine state. To benefit from this ability, a VMI-aware Virtual Machine Monitor (VMM) must be set up in advance underneath the target system; a constraint for the massive application of VMI. In this paper, we present WhiteRabbit, a VMI framework comprising a microkernel-based VMM that transparently virtualizes a running Operating System, on-the-fly, for the purpose of forensic analysis. As a result, the systems to be analyzed do not have to be explicitly set up for VMI a priori. After its deployment, our framework exposes VMI services for remote applications: WhiteRabbit implements a LibVMI interface that enables it to be engaged by popular VMI applications remotely. Our prototype employs Intel as well as ARM virtualization extensions to take over control of a running Linux system. WhiteRabbit’s on-the-fly capability and limited virtualization overhead constitute an effective solution for malware detection and analysis.
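The abstract's point is that a VMI tool sees the guest's memory from underneath the OS, so it can rebuild kernel state without trusting anything the guest reports. The block below is an added example, not code from the WhiteRabbit paper or from LibVMI: it models what a LibVMI-style client does with that view, walking the kernel task list from a raw memory image and cross-checking it against a signature scan, which exposes a process that a DKOM rootkit has unlinked from the list. The task-struct layout, the addresses, the identity virtual-to-physical mapping and the sample tasks are all constructed assumptions made for illustration.

```python
import struct

# Hypothetical task-struct layout, assumed for this example (not Linux's real one):
#   +0x00 u32  pid
#   +0x08 u64  tasks.next   (points at the *next task's* list_head, i.e. its +0x08)
#   +0x10 u64  tasks.prev
#   +0x18 char comm[16]
TASK_SIZE = 0x40
OFF_PID, OFF_NEXT, OFF_PREV, OFF_COMM = 0x00, 0x08, 0x10, 0x18
LIST_OFF = OFF_NEXT          # list_head is embedded at +0x08 (container_of in Linux)
MEM_SIZE = 0x1000            # size of the constructed guest-memory image
INIT_TASK = 0x100            # assumed address of the swapper/init task
PID_MAX = 1 << 22            # plausibility bound for a pid (Linux PID_MAX_LIMIT)


class GuestMemory:
    """Stand-in for the read primitives a VMI library exposes to a remote tool.

    Assumption: virtual == physical addresses. A real introspection library
    walks the guest page tables before reading; that step is omitted here.
    """

    def __init__(self, buf):
        self.buf = buf

    def read_u32(self, addr):
        return struct.unpack_from("<I", self.buf, addr)[0]

    def read_u64(self, addr):
        return struct.unpack_from("<Q", self.buf, addr)[0]

    def read_comm(self, addr):
        raw = self.buf[addr:addr + 16].split(b"\0", 1)[0]
        return raw.decode("ascii", "replace")


def build_image(tasks, hidden_pids=()):
    """Lay out constructed task structs as a circular list starting at tasks[0].

    Tasks whose pid is in hidden_pids are then unlinked the way a DKOM rootkit
    does it: the neighbours bypass the node, but the node itself stays in memory
    with its own pointers intact.
    """
    buf = bytearray(MEM_SIZE)
    n = len(tasks)
    for i, (addr, pid, comm) in enumerate(tasks):
        nxt, prv = tasks[(i + 1) % n][0], tasks[(i - 1) % n][0]
        struct.pack_into("<I", buf, addr + OFF_PID, pid)
        struct.pack_into("<Q", buf, addr + OFF_NEXT, nxt + LIST_OFF)
        struct.pack_into("<Q", buf, addr + OFF_PREV, prv + LIST_OFF)
        buf[addr + OFF_COMM:addr + OFF_COMM + 16] = comm.encode().ljust(16, b"\0")
    for addr, pid, _ in tasks:
        if pid in hidden_pids:
            nxt = struct.unpack_from("<Q", buf, addr + OFF_NEXT)[0] - LIST_OFF
            prv = struct.unpack_from("<Q", buf, addr + OFF_PREV)[0] - LIST_OFF
            struct.pack_into("<Q", buf, prv + OFF_NEXT, nxt + LIST_OFF)
            struct.pack_into("<Q", buf, nxt + OFF_PREV, prv + LIST_OFF)
    return buf


def walk_task_list(mem, init_task=INIT_TASK, limit=4096):
    """The view `ps` inside the guest effectively gets: follow tasks.next around."""
    out, addr = [], init_task
    for _ in range(limit):
        out.append((mem.read_u32(addr + OFF_PID), mem.read_comm(addr + OFF_COMM)))
        addr = mem.read_u64(addr + OFF_NEXT) - LIST_OFF
        if addr == init_task:
            return out
    raise RuntimeError("task list never returns to init_task: corrupted list")


def scan_task_structs(mem):
    """Signature scan over the whole image: does not trust the list pointers."""
    found = []
    for addr in range(0, MEM_SIZE - TASK_SIZE + 1, TASK_SIZE):
        pid = mem.read_u32(addr + OFF_PID)
        nxt, prv = mem.read_u64(addr + OFF_NEXT), mem.read_u64(addr + OFF_PREV)
        name = mem.buf[addr + OFF_COMM:addr + OFF_COMM + 16].split(b"\0", 1)[0]
        if pid >= PID_MAX or not name or any(c < 32 or c > 126 for c in name):
            continue
        # both links must point at a list_head inside a properly aligned slot
        if not all(LIST_OFF <= p < MEM_SIZE and (p - LIST_OFF) % TASK_SIZE == 0
                   for p in (nxt, prv)):
            continue
        found.append((pid, name.decode("ascii")))
    return found


def hidden_processes(mem):
    """Cross-view comparison: anything the scan finds that the list walk misses."""
    listed = {pid for pid, _ in walk_task_list(mem)}
    return [(pid, comm) for pid, comm in scan_task_structs(mem) if pid not in listed]


# Constructed sample guest: five tasks, one of them hidden by DKOM.
SAMPLE_TASKS = [
    (0x100, 0, "swapper"), (0x200, 1, "systemd"), (0x300, 742, "sshd"),
    (0x400, 1337, "rootkit"), (0x500, 2001, "bash"),
]
SAMPLE_MEM = GuestMemory(build_image(SAMPLE_TASKS, hidden_pids={1337}))

if __name__ == "__main__":
    print("in-guest view :", walk_task_list(SAMPLE_MEM))
    print("memory scan   :", scan_task_structs(SAMPLE_MEM))
    print("hidden        :", hidden_processes(SAMPLE_MEM))
```

The list walk is what an in-guest tool (or a naive introspection script) reports; the scan is only possible because the introspecting side reads guest memory directly, which is the "untainted view" the abstract refers to. Against a real guest the layout offsets come from the kernel's debug symbols and the reads go through the guest page tables rather than the identity mapping assumed here.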

Authors: Sergej Proskurin, Julian Kirsch, and Apostolis Zarras
Year/month: 2018/9
Booktitle: IFIP International Conference on ICT Systems Security and Privacy Protection (IFIP SEC)
Note: Ranked 3rd
Fulltext: 2018-ifipsec-whiterabbit.pdf

Bibtex:

@conference {
author = { Sergej Proskurin and Julian Kirsch and Apostolis Zarras },
title = { Follow the WhiteRabbit: Towards Consolidation of On-the-Fly Virtualization and Virtual Machine Introspection },
year = { 2018 },
month = { September },
booktitle = { IFIP International Conference on ICT Systems Security and Privacy Protection (IFIP SEC) },
note = { Ranked 3rd },
url = {https://www.sec.in.tum.de/i20/publications/follow-the-whiterabbit-towards-consolidation-of-on-the-fly-virtualization-and-virtual-machine-introspection/@@download/file/2018-ifipsec-whiterabbit.pdf}
}